Using a ‘sinkhole’ to squash the Nitol botnet

By William Jackson

Oct 02, 2012

Weeks after obtaining a temporary restraining order against the operators of the China-based 3322.org domain, Microsoft has reached an agreement with the operators to “sinkhole” traffic to 70,000 malicious subdomains associated with the Nitol botnet.

Microsoft announced on Oct. 2 that it has dismissed its suit against Peng Yong, who operates the domain, in return for his help in blocking the traffic. The Chinese Computer Emergency Response Team (CN-CERT) also is cooperating in the effort.

The case originated when Microsoft’s Digital Crimes Unit found malicious code preinstalled on a computer bought in China, incorporated with several other types of malware into counterfeit copies of Windows XP and Windows 7. Because Nitol was actively running and attempting to connect with command and control servers in China and in California, Texas, Georgia and Pennsylvania in the United States, researchers were able to study it.

Microsoft said the malware was likely installed, not at the factory, but by distributors or resellers along the supply chain.

As part of the Microsoft Active Response for Security program (Project MARS), the company went to the U.S. District Court for the Eastern District of Virginia and on Sept. 10 was granted a temporary restraining order against Nitol’s operators, allowing it to take over hosting of the 3322.org domain, which hosted the majority of the malicious servers. The company reported that since Sept. 11 it has blocked more than 609 million connections from more than 7,650,000 unique IP addresses to the malicious subdomains.

Microsoft dismissed its suit Sept. 28 in exchange for Yong’s cooperation. He has agreed to block all connections to 70,000 subdomains on a Microsoft block list and direct them to a sinkhole computer operated by CN-CERT. So instead of communicating with their command-and-control servers, bots will be directed down the sinkhole.
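The sinkhole arrangement described above amounts to a DNS policy: names on a block list no longer resolve to the bots’ command-and-control hosts but to a machine the defenders control, which then records who is connecting. The following Python is an added example written for this article, not code from Microsoft, CN-CERT or 3322.org. The block list entries, the sinkhole address (`192.0.2.10`, from the documentation range) and the query log lines are constructed sample values, not the operation’s real 70,000-subdomain list or its traffic, and the three-field log format is an assumption.

```python
"""Added example: a minimal DNS sinkhole policy plus a log summariser.

Illustrative code for this article; not Microsoft's, CN-CERT's or 3322.org's
tooling.  Block list, sinkhole address and log lines are constructed samples.
"""
from collections import Counter
from typing import Dict, Iterable, Optional, Set

# Assumption: address of the defender-run sinkhole host (documentation range).
SINKHOLE_IP = "192.0.2.10"


def normalise(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so lookups are consistent."""
    return name.strip().lower().rstrip(".")


def build_blocklist(names: Iterable[str]) -> Set[str]:
    """Normalise every block-list entry once, at load time."""
    return {normalise(n) for n in names if n.strip()}


def is_sinkholed(name: str, blocklist: Set[str]) -> bool:
    """True if the name or any parent label is on the block list.

    Walking the parent labels means 'a.evil.3322.org' is caught by an entry for
    'evil.3322.org' without listing every host label a bot might prepend.
    """
    labels = normalise(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(name: str, blocklist: Set[str], legit: Dict[str, str]) -> Optional[str]:
    """Answer a query: sinkhole address for blocked names, the real record otherwise."""
    if is_sinkholed(name, blocklist):
        return SINKHOLE_IP
    return legit.get(normalise(name))


def summarise_sinkhole_log(lines: Iterable[str], blocklist: Set[str]) -> dict:
    """Count diverted connections and unique client IPs, like the figures Microsoft reported.

    Assumed (constructed) log format: '<timestamp> <client_ip> <queried_name>'.
    """
    connections = 0
    clients: Set[str] = set()
    names: Counter = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip it rather than abort the whole run
        _, client_ip, qname = parts
        if is_sinkholed(qname, blocklist):
            connections += 1
            clients.add(client_ip)
            names[normalise(qname)] += 1
    return {"connections": connections, "unique_ips": len(clients),
            "top_names": names.most_common(3)}


# Constructed sample data (not the real block list or real traffic).
BLOCKLIST = build_blocklist(["evil.3322.org", "cc-node.3322.org", "BADHOST.3322.ORG."])
LEGIT_RECORDS = {"www.example.com": "198.51.100.5"}
SAMPLE_LOG = [
    "2012-09-11T00:00:01 203.0.113.7 evil.3322.org",
    "2012-09-11T00:00:02 203.0.113.7 a.evil.3322.org.",   # child of a blocked name
    "2012-09-11T00:00:03 203.0.113.9 www.example.com",    # legitimate, not diverted
    "2012-09-11T00:00:04 203.0.113.9 BadHost.3322.org",   # case differs from the list
    "2012-09-11T00:00:05 203.0.113.12 cc-node.3322.org",
    "malformed line",
    "2012-09-11T00:00:06 203.0.113.7 other.3322.org",     # same parent, not listed
]

if __name__ == "__main__":
    print(resolve("A.EVIL.3322.org.", BLOCKLIST, LEGIT_RECORDS))
    print(summarise_sinkhole_log(SAMPLE_LOG, BLOCKLIST))
```

Two design points matter in practice: matching on parent labels rather than exact strings is what lets a block list of subdomains cover the hosts a bot actually queries, and the summariser counts unique client addresses separately from raw connections, which is the same distinction as the 609 million connections versus 7,650,000 addresses in the article. Note that `other.3322.org` is not diverted, because only the listed subdomains, not the whole 3322.org domain, are sinkholed.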

Yong also will assist in identifying owners of infected computers and removing the malware.

This action, dubbed Operation b70 by Microsoft, was the fifth such undertaking as part of Project MARS to disrupt botnets by legally attacking their underlying infrastructure.

“Fighting botnets will always be a complex and difficult endeavor,” Microsoft assistant general counsel Richard Domingues Boscovich wrote in a blog post. But recent cases show that the courts can be an effective weapon in that fight.